Microcircuits implementing a cryptographic algorithm are equipped with a central processing unit (CPU). Some are equipped with circuits dedicated to cryptographic computing, for example a cryptographic coprocessor. These microcircuits include thousands of logic gates that switch differently according to the operations executed. These switches create short variations in current consumption, for example of a few nanoseconds that can be measured. In particular, CMOS-type integrated circuits include logic gates that only consume current when they switch, i.e. when a logic node changes to 1 or to 0. Therefore, the current consumption depends on the data handled by the central unit and on its various peripherals: memory, data flowing on the data or address bus, cryptographic coprocessor, etc.
Furthermore, certain software programs, produced in particular using encryption or obfuscation techniques, such as the “Whitebox Cryptography” technique, may integrate a secret data in such a way that it is very difficult to determine it by reverse engineering. Certain software programs may also receive a secret data from outside through a secure communication channel. Such microcircuits may be subjected to so-called side channel analysis attacks based on observing their current consumption, or their magnetic or electromagnetic radiation, or any other information that can be observed while a cryptographic algorithm is executed. Such attacks aim to discover the secret data they use, in particular their encryption keys. Frequent side channel attacks implement statistical analysis methods such as SPA (“Single Power Analysis”), DPA (“Differential Power Analysis”), CPA (“Correlation Power Analysis”) or EMA (“ElectroMagnetic Analysis”). SPA analysis normally only requires the acquisition of a single current consumption trace. It aims to obtain information about the activity of the integrated circuit by observing the part of the consumption trace corresponding to a cryptographic computation, since the current trace varies according to the operations executed and the data handled.
Software may also undergo such side channel attacks during their execution by a circuit.
DPA and CPA analyses enable the key of an encryption algorithm to be found by acquiring numerous data or measurement traces and by statistically analyzing these traces to find the information searched for. They are based on the assumption that the consumption of a CMOS-type integrated circuit varies when a bit changes from 0 to 1 in a register or on a bus, and does not vary when a bit remains equal to 0, remains equal to 1 or changes from 1 to 0 (discharge of the stray capacitance of the MOS transistor). Alternatively, it can be considered that the consumption of a CMOS-type integrated circuit varies when a bit changes from 0 to 1 or changes from 1 to 0 and does not vary when a bit remains equal to 0 or remains equal to 1. This second hypothesis enables the conventional “Hamming distance” or “Hamming weight” functions to be used to develop a consumption model that does not require the structure of the integrated circuit to be known to be applicable. DPA analysis involves amplifying this consumption difference using statistical processing on numerous consumption traces, aiming to highlight a measurement difference between two families of consumption traces distinguished according to formulated hypotheses.
CPA analysis is based on a linear current consumption model and involves computing a correlation coefficient between, firstly, the consumption points measured that form the captured consumption traces and, secondly, an estimated consumption value, computed from the linear consumption model and a hypothesis on the variable to be discovered that is handled by the microcircuit and on the value of the encryption key.
Electromagnetic analysis (EMA) is based on the principle that a microcircuit may leak information in the form of near or far field electromagnetic radiation. Given that transistors emit electromagnetic signals when their state changes, these signals can be treated like the current consumption variation signals by an analysis such as one or other of the SPA, DPA and CPA analyses.
Other side channel attacks exist, such as “Template attacks” and “Mutual Information Analysis” (MIA). All of the above-mentioned attacks are based on a time alignment of all the analyzed traces. In other words, all the measurements performed at a given time, for example from the time the execution of a command is activated by the circuit, must correspond to the same value handled by the algorithm.
To protect such circuits and the cryptographic algorithms they execute against such side channel attacks, counter-measures are generally provided. One type of counter-measure aims to avoid such a time alignment. For this purpose, these type of counter-measures introduce variations in the clock frequency supplied to the calculation circuits, or introduce dummy clock cycles or dummy operations.
In some instances, it may be possible to restore this time alignment, through specific expertise and many attempts, e.g., using a high number of traces to be realigned and/or applying signal processing. In any event, cases remain where it is not possible to restore this time alignment, such that the side channel tests fail even though there is a secret data leakage present in the traces.
Another type of counter-measure involves executing a ciphering method several times using false keys. In such instances, a counter-measure program can be provided that, for example, controls the ciphering program or a coprocessor, and makes it execute the ciphering method several times with the false keys and/or the false data, in a random order, such that the execution of the ciphering method with the right key (e.g., the authentic key) is “hidden” in a set of dummy executions. Such counter-measures, using multiple executions, offer an advantage that they can be implemented with a conventional coprocessor that does not implement any specific counter-measures.
Another type of counter-measure involves adapting a given algorithm to be protected to render the data handled by the circuit independent of their actual values. Certain counter-measures of this type—that can be referred to as “masking-type counter-measures”—use a random mask (binary number) that is combined with another data to be protected such as the key and/or the message during the execution of the ciphering method. This type of counter-measure is effective but requires the algorithm to be modified, and thus requires a coprocessor specially provided for its implementation in the case of execution by a coprocessor, or a more complex program in the case of execution by the central processing unit of the microcircuit or a programmed coprocessor. In addition this type of counter-measure is vulnerable to so-called “second order attacks” which are based on analysis of a set of signal traces that can each be obtained by combining two parts of a respective trace. As an example, each of these signal traces combines a signal part that can include a leakage related to a data resulting from the combination of a data value to discover and a random mask value, and a signal part that can include a leakage of the random mask value. Different approaches can be used to combine time signal parts to obtain a signal trace related to the data value to discover. However, such second order attacks can be difficult to accomplish due to the requirement that the combined signal parts need to be strictly aligned in time before being combined. If this requirement is not fulfilled, the combined signal traces will not contain useful information that can be extracted by conventional statistical analyses, or, even if the combined signal traces do contain useful information, this information cannot be extracted by conventional statistical analyses. As a consequence, such second order attacks can be highly sensitive to counter-measures based on various kinds of time misalignment, such as those causing a duration of the clock cycle supplied to a circuit to vary randomly, or those introducing dummy processing cycles or operations at randomly chosen times.
To check the level of security offered by a secure integrated circuit intended to be marketed, qualification and/or certification tests are planned before the circuit is marketed, where these tests can include tests of the robustness of the integrated circuit to side channel analyses aiming to discover the secret data handled by the integrated circuit. There are also tests enabling the resistance of a software program to side channel attacks to be assessed.